
CVE-2026-32713: PX4 Autopilot MAVLink FTP Session Validation Logic Error

Published: 2026-03-13 | Category: Vulnerability Discovery | 3 min read
CVSS: 4.3 (Medium)
Tags: CVE, PX4, MAVLink, Logic Error, DoS, Session Bypass
Estimated Impact: 15,000+ customers
TL;DR:
A logic error in the session validation of PX4's MAVLink FTP implementation allows operations on invalid file descriptors and session isolation bypass.

Summary

The session validation in PX4 Autopilot's MAVLink FTP implementation uses incorrect boolean logic (&& instead of ||), allowing BurstReadFile and WriteFile operations to proceed with an invalid session or a closed file descriptor. This enables an unauthenticated attacker to put the FTP subsystem into an inconsistent state, trigger operations on invalid file descriptors, and bypass the session isolation checks.

CVE ID: CVE-2026-32713
Advisory: GHSA-pp2c-jr5g-6f2m
Affected Versions: PX4 Autopilot ≤ 1.17.0-rc1

Vulnerability Details

The vulnerability is a straightforward logic error in src/modules/mavlink/mavlink_ftp.cpp where two functions use && (logical AND) instead of || (logical OR) for session validation, diverging from the correct implementation used in other functions.

Correct Implementation (_workRead)

The _workRead function correctly rejects requests when either the session ID is wrong or the file descriptor is invalid:

// mavlink_ftp.cpp:559 -- CORRECT: uses || (logical OR)
MavlinkFTP::ErrorCode
MavlinkFTP::_workRead(PayloadHeader *payload)
{
    if (payload->session != 0 || _session_info.fd < 0) {
        return kErrInvalidSession;
    }
    // ... proceeds with read
}

Buggy Implementation (_workBurst and _workWrite)

The _workBurst and _workWrite functions incorrectly use &&:

// mavlink_ftp.cpp:597 / 618 -- BUG: uses && (logical AND)
if (payload->session != 0 && _session_info.fd < 0) {
    return kErrInvalidSession;
}

With &&, a request is rejected only when both conditions hold at once, so it passes whenever just one of them is met (e.g., correct session but invalid FD, or wrong session but valid FD).

Proof of Concept

Scenario A: Operations on closed file descriptor (session=0, fd=-1)

An attacker can trigger a burst read on a closed file descriptor by sending a request with the default session ID (0) before any file is opened.

# Send kCmdBurstReadFile (opcode=15) with session=0
# session(0) != 0 --> false, fd(-1) < 0 --> true
# false && true --> false --> check skipped!
payload = make_ftp_payload(seq=1, session=0, opcode=15, size=0, offset=0)

Scenario B: Session ID isolation bypass (session!=0, fd>=0)

If a file is already open by a valid session, an attacker can access it using a different session ID.

# Send burst read with WRONG session ID (session=5)
# session(5) != 0 --> true, fd(N) < 0 --> false
# true && false --> false --> check bypassed!
payload = make_ftp_payload(seq=1, session=5, opcode=15, size=0, offset=0)
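As an added example (not PX4 project code), the following C++ stand-in evaluates both forms of the session predicate from the Vulnerability Details section over all four (session, fd) combinations, including Scenario A and Scenario B above, so the truth table behind the bug and its fix can be checked directly. The SessionCheckInput struct, the function and constant names, and the fd value 3 are assumptions made for this example; the real PayloadHeader and _session_info carry more fields than the two the check reads.

```cpp
// Added example, not PX4 code: a minimal model of the MAVLink FTP session
// check that keeps only the two fields the advisory's predicate reads.
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for PayloadHeader::session and _session_info.fd.
struct SessionCheckInput {
    uint8_t session;   // session id carried in the request payload
    int     fd;        // fd of the single open FTP session, -1 if none
};

// Mirrors the buggy predicate in _workBurst/_workWrite (&&): the request is
// rejected only when BOTH the session id is wrong AND no file is open.
bool buggySessionCheckRejects(const SessionCheckInput &in)
{
    return in.session != 0 && in.fd < 0;
}

// Mirrors the correct predicate in _workRead (||): the request is rejected
// when EITHER the session id is wrong OR no file is open.
bool fixedSessionCheckRejects(const SessionCheckInput &in)
{
    return in.session != 0 || in.fd < 0;
}

// Scenario A from the advisory: default session id, nothing open.
const SessionCheckInput kScenarioA{0, -1};
// Scenario B from the advisory: wrong session id while a file is open
// (the fd value 3 is constructed for this example).
const SessionCheckInput kScenarioB{5, 3};
// The only legitimate combination: default session id and an open file.
const SessionCheckInput kLegitimate{0, 3};

// Counts how many of the four (session, fd) combinations a predicate rejects.
// The correct check rejects exactly three; the buggy one rejects only one.
int countRejected(bool (*rejects)(const SessionCheckInput &))
{
    const SessionCheckInput cases[] = {
        {0, 3},   // valid session, open fd    -> must be allowed
        {0, -1},  // valid session, closed fd  -> must be rejected (Scenario A)
        {5, 3},   // wrong session, open fd    -> must be rejected (Scenario B)
        {5, -1},  // wrong session, closed fd  -> must be rejected
    };
    int rejected = 0;
    for (const SessionCheckInput &c : cases) {
        if (rejects(c)) {
            ++rejected;
        }
    }
    return rejected;
}

int main()
{
    const SessionCheckInput rows[] = {kLegitimate, kScenarioA, kScenarioB, {5, -1}};
    const char *labels[] = {"legitimate", "scenario A", "scenario B", "both wrong"};

    std::printf("%-12s session fd  buggy(&&) fixed(||)\n", "case");
    for (int i = 0; i < 4; ++i) {
        std::printf("%-12s %7u %3d %9s %9s\n", labels[i], rows[i].session, rows[i].fd,
                    buggySessionCheckRejects(rows[i]) ? "reject" : "allow",
                    fixedSessionCheckRejects(rows[i]) ? "reject" : "allow");
    }
    std::printf("rejected by buggy check: %d of 4\n", countRejected(buggySessionCheckRejects));
    std::printf("rejected by fixed check: %d of 4\n", countRejected(fixedSessionCheckRejects));
    return 0;
}
```

Compiling and running it prints one row per combination: the && form admits Scenario A and Scenario B and rejects only the case where both the session id and the fd are wrong, while the || form rejects three of the four and admits only the legitimate request. That last property (exactly one admitted combination) is what a regression test for this CVE should assert.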

Impact

This vulnerability breaks the session validation in the MAVLink FTP protocol implementation.

  • Denial of Service: Triggering operations on invalid file descriptors can put the FTP subsystem into an inconsistent state, potentially blocking legitimate operations.
  • Session Bypass: Attackers can bypass session isolation to access files opened in other sessions.
  • Unexpected Side Effects: Triggering error code paths (like EBADF from lseek) may have unintended consequences on the flight controller's stability.

References